# Attack Methodology

> The 10-phase chain GigaOps executes on every Deep engagement

GigaOps follows a structured 10-phase methodology modeled on real-world adversary operations. Deep audits run all 10 phases; Shallow audits stop after phase 6; Autonomous audits run whichever phases your brief specifies.

## Baseline scan (before the agent starts)

Before GigaOps begins its attack chain, a deterministic **baseline scanner** runs against the target and produces its own set of findings:

* **Security headers** — checks for HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and similar headers with specific remediation guidance per missing header
* **Common path probe** — checks well-known sensitive paths (`.env`, `/.git/config`, `/wp-admin/`, `/actuator/env`, `/api/swagger`, and others)
* **Nuclei templates** — runs in parallel with the agent, capped to the remaining time budget so it cannot overrun the audit window

Baseline findings are deterministic and fully structured. They are deduplicated against agent findings before the final audit is written — if the agent independently discovers the same issue, it appears once.
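The two baseline behaviours described above (a per-header check with remediation guidance, and deduplication against agent findings so a shared discovery is reported once) as an added example. This is illustration code, not GigaOps's scanner: the header list is the page's, but the finding schema, the remediation strings and the sample response headers are constructed assumptions.

```python
"""Added example (not GigaOps code): a deterministic security-header check over
constructed HTTP response headers, plus the dedup-against-agent-findings step.
The header names come from the page; the Finding schema, remediation text and
sample headers are constructed for illustration."""
from dataclasses import dataclass

# Remediation guidance per expected header (constructed, conventional values).
EXPECTED_HEADERS = {
    "strict-transport-security": "Add 'Strict-Transport-Security: max-age=31536000; includeSubDomains'",
    "content-security-policy": "Define a Content-Security-Policy that restricts script and frame sources",
    "x-content-type-options": "Add 'X-Content-Type-Options: nosniff'",
    "x-frame-options": "Add 'X-Frame-Options: DENY' (or a frame-ancestors CSP directive)",
    "referrer-policy": "Add 'Referrer-Policy: strict-origin-when-cross-origin'",
}


@dataclass(frozen=True)
class Finding:
    kind: str        # e.g. "missing-header", "sensitive-path"
    location: str    # URL or path the finding applies to
    detail: str      # what exactly is wrong (here: the missing header name)
    source: str      # "baseline" or "agent"
    remediation: str = ""

    def key(self):
        # Dedup identity ignores who found it and normalises case.
        return (self.kind, self.location, self.detail.lower())


def check_security_headers(url, headers):
    """Return one Finding per expected header that is absent from the response."""
    present = {name.lower() for name in headers}
    return [
        Finding("missing-header", url, header, "baseline", remediation)
        for header, remediation in EXPECTED_HEADERS.items()
        if header not in present
    ]


def merge_findings(baseline, agent):
    """Baseline findings are structured and deterministic, so they win on a
    collision; an agent finding with the same key is dropped, not reported twice."""
    merged = {}
    for finding in list(baseline) + list(agent):
        merged.setdefault(finding.key(), finding)
    return list(merged.values())


# Constructed sample: response headers from a target, missing CSP and Referrer-Policy.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    base = check_security_headers("https://example.test/", SAMPLE_HEADERS)
    # Constructed: the agent independently noticed the missing CSP.
    agent = [Finding("missing-header", "https://example.test/", "Content-Security-Policy", "agent")]
    for f in merge_findings(base, agent):
        print(f.source, f.kind, f.detail, "->", f.remediation)
```

The dedup key deliberately excludes `source` and free-text remediation, so the same gap found by both the scanner and the agent collapses to the baseline entry, which carries the structured remediation guidance.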

## The 10 phases

### Phase 1 — Passive Reconnaissance

Before touching the target, GigaOps gathers context from public sources. No traffic to the target's infrastructure.

* WHOIS and DNS records
* Certificate Transparency logs (crt.sh)
* Wayback Machine for historical endpoints
* Search engine dorking
* GitHub / GitLab leaked secrets reconnaissance
* Technology fingerprinting from public sources

### Phase 2 — Subdomain Enumeration

GigaOps queries seven passive OSINT sources to build a complete subdomain map, then validates which are alive. See [Subdomain Enumeration](/how-it-works/subdomain-enumeration) for the full source list.

### Phase 3 — Port & Service Scanning

Network-level discovery uses `nmap -T2` (low-noise timing) by default, with `masscan` for wide address ranges.

* TCP/UDP port discovery
* Service version detection
* TLS configuration analysis
* Banner grabbing

### Phase 4 — Web Fingerprinting

For HTTP/S services, identify the stack:

* `whatweb` and `httpx` for application fingerprinting
* `wafw00f` for WAF detection
* CMS / framework / library version identification
* Endpoint discovery via crawling and content discovery (`feroxbuster`, `ffuf`)

### Phase 5 — Vulnerability Scanning

Active probing for known vulnerability classes:

* `nuclei` with curated template sets
* `dalfox` and `xsstrike` for XSS surface
* `wfuzz` and `ffuf` for parameter discovery and injection points
* Custom probes for SSTI, XXE, SSRF, deserialization, CORS misconfiguration
* JWT analysis with `jwt_tool`

### Phase 6 — Exploitation

Confirm vulnerabilities by exploiting them. The agent captures evidence as proof of exploitability; in Shallow mode it stops at proof-of-concept level.

* `sqlmap` for SQL injection (Deep mode: `--level 5 --risk 3`)
* `commix` for command injection
* `tplmap` for template injection
* `XXEinjector` for XXE
* `ssrfmap` for SSRF
* Custom exploitation chains for chained findings

**Shallow audits stop here.** The remaining phases only run in Deep and Autonomous modes.

### Phase 7 — Authentication Attacks

Test the auth surface:

* Credential stuffing against captured username lists
* `hydra` for service brute force (rate-limited)
* JWT manipulation, signature stripping, algorithm confusion
* OAuth flow analysis (PKCE downgrade, `redirect_uri` confusion, scope abuse)
* Session fixation, predictable session IDs
* Password reset flow analysis

### Phase 8 — Post-Exploitation

After initial compromise, escalate and explore:

* `linpeas` and `pspy` for Linux privilege escalation
* Kernel exploit identification
* `impacket` suite for Windows / AD post-ex
* `bloodhound` for AD attack path analysis
* Credential harvesting from memory and disk
* Service account discovery

### Phase 9 — Lateral Movement

Pivot from initial foothold to additional systems:

* `crackmapexec` for SMB / WinRM lateral movement
* `evil-winrm` for interactive shells
* Token impersonation and pass-the-hash
* Pivot through internal networks via SSH or `ligolo-ng`

### Phase 10 — Persistence & Exfiltration Testing

Demonstrate full impact:

* Persistence mechanism testing (cron, systemd, scheduled tasks)
* DNS tunneling (`dnscat2`, `iodine`) for exfil path validation
* Data exfiltration over allowed protocols
* Track-covering / log-cleaning behavior assessment

## Phase ordering and pivots

The methodology is not strictly linear. GigaOps continuously re-plans:

* A finding in phase 5 may prompt deeper scanning in phase 3
* A credential captured in phase 7 may unlock new targets requiring phase 2 enumeration
* A pivot in phase 9 may reveal new web surface, triggering phases 4–6 against internal hosts

The agent decides what to do next based on what it just discovered.

## When the methodology stops

GigaOps stops a phase when:

* The phase's objectives are exhausted (no new findings produced in the last iteration)
* The audit's time budget is approaching expiry (agent transitions to report writing)
* The phase produced findings that warrant deeper exploration in a later phase
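The three stop conditions above, together with the remaining-time-budget cap that the baseline section applies to the parallel Nuclei run, as an added example of the control loop. This is not GigaOps's planner: the `iterate()` contract, the fake clock, the five-minute report-writing margin and the scripted findings are all constructed assumptions; only the phase semantics come from the page.

```python
"""Added example (not GigaOps code): a phase loop that stops on the page's three
conditions and caps parallel work to the remaining time budget. The clock,
iteration callback, report margin and findings are constructed assumptions."""
from enum import Enum


class Stop(Enum):
    EXHAUSTED = "no new findings in the last iteration"
    BUDGET = "time budget approaching expiry"
    ESCALATE = "findings warrant deeper exploration in a later phase"


# Seconds reserved at the end of the audit for report writing (assumed value).
REPORT_MARGIN = 300


def remaining_budget(now, deadline, margin=REPORT_MARGIN):
    """Seconds a parallel task (e.g. a template scan) may still use without
    overrunning the audit window. Never negative."""
    return max(0, deadline - margin - now)


def run_phase(iterate, clock, deadline, margin=REPORT_MARGIN):
    """Repeat iterate() until a stop condition holds and return (findings, reason).

    iterate() -> (findings, escalate): an iterable of hashable findings and a flag
    saying that something found belongs to a later phase. clock() -> seconds elapsed.
    """
    seen = set()
    while True:
        if remaining_budget(clock(), deadline, margin) == 0:
            return seen, Stop.BUDGET            # hand over to report writing
        findings, escalate = iterate()
        new = set(findings) - seen
        seen |= new
        if escalate:
            return seen, Stop.ESCALATE          # re-plan into a later phase
        if not new:
            return seen, Stop.EXHAUSTED         # objectives exhausted


class FakeClock:
    """Constructed clock: every read advances by `step` seconds."""
    def __init__(self, start=0, step=60):
        self.t, self.step = start - step, step

    def __call__(self):
        self.t += self.step
        return self.t


def scripted(iterations):
    """Turn a list of (findings, escalate) tuples into an iterate() callback;
    once the script runs out the phase reports nothing new."""
    it = iter(iterations)
    return lambda: next(it, ([], False))


def demo_exhausted():
    # Constructed: three iterations, the third only repeats an earlier finding.
    script = [({"missing-csp:/"}, False), ({"reflected-param:/search"}, False),
              ({"reflected-param:/search"}, False)]
    return run_phase(scripted(script), FakeClock(step=60), deadline=3600)


def demo_budget():
    # Constructed: a 10-minute audit; with a 5-minute margin the phase is cut
    # off while it is still producing new findings.
    script = [({f"finding-{i}"}, False) for i in range(10)]
    return run_phase(scripted(script), FakeClock(step=120), deadline=600)


def demo_escalate():
    # Constructed: the first iteration yields something for a later phase.
    return run_phase(scripted([({"captured-credential"}, True)]), FakeClock(), deadline=3600)


if __name__ == "__main__":
    for demo in (demo_exhausted, demo_budget, demo_escalate):
        found, why = demo()
        print(f"{demo.__name__}: {len(found)} finding(s), stopped because {why.value}")
```

The budget check runs before each iteration rather than after, so a phase never starts work it cannot finish inside the window; the same `remaining_budget()` value is what a parallel scanner would receive as its timeout.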

## Modes recap

| Phase                      | Shallow | Deep | Autonomous           |
| -------------------------- | ------- | ---- | -------------------- |
| 1–6 (recon → exploitation) | ✓       | ✓    | Optional (per brief) |
| 7 (auth attacks)           | —       | ✓    | Optional (per brief) |
| 8 (post-exploitation)      | —       | ✓    | Optional (per brief) |
| 9 (lateral movement)       | —       | ✓    | Optional (per brief) |
| 10 (persistence / exfil)   | —       | ✓    | Optional (per brief) |

In Autonomous mode, the brief defines which phases run and in what order.

## Next steps

<Columns cols={2}>
  <Card title="The GigaOps Agent" icon="brain" href="/how-it-works/gigaops-agent">
    How the agent plans and executes each phase.
  </Card>

  <Card title="Toolkit" icon="screwdriver-wrench" href="/how-it-works/toolkit">
    The full tool inventory in the darkops sandbox.
  </Card>
</Columns>
